Annual Fiscal Year Report 2014

Internal Audit Vice Presidency

December 10, 2014

Public Disclosure Authorized

93226

IADVP FY14 Annual Report I 2

Abbreviations and Acronyms

ADM Accountability and Decision Making

ADR Audit Director Roundtable

AG Vice President and Auditor General

CAE Chief Audit Executive

CAO Compliance Advisor/Ombudsman

CCSA Cross Cutting Solutions Area

CEB Corporate Executive Board

CIF Climate Investment Fund

CFO WBG Chief Financial Officer

CMU Country Management Unit

CRO WBG Chief Risk Office

CTR Controllers' Vice Presidency

ER Expenditure Review

ERM Enterprise Risk Management

FIF Financial Intermediary Fund

FM Financial Management

GAIN Global Audit Information Network

GP Global Practices

HR/HRS Human Resources

IAD Internal Audit Vice Presidency

IBRD International Bank for Reconstruction and Development

ICFR Internal Controls Over Financial Reporting

ICSID International Center for the Settlement of Investment Disputes

IDA International Development Association

IEG Independent Evaluation Group

IFC International Finance Corporation

IIA Institute of Internal Auditors

INT Integrity Vice Presidency

IPMP Integrated Project Management Plan

IPN Inspection Panel

IT Information Technology

ITS Information Technology Services

MIGA Multilateral Investment Guarantee Agency

OPCS Operations Policy and Country Services Vice Presidency

ORAF Operational Risk Assessment Framework

PDU President’s Delivery Unit

PP Partnership Program

PMA Partnership Management and Administration

SAP Systems, Applications and Products software

SCD Systematic Country Diagnostic

SMT Senior Management Team

SORT Systematic Operations Risk rating Tool

UN RIAS Representatives of the Internal Audit Services of the United Nations Organizations and Multilateral Financial Institutions

VPU Vice Presidential Unit

WBG World Bank Group


Table of Contents

1. World Bank Group Internal Audit Vice Presidency

2. Governance, Risk Management and Control – Executive Commentary

3. Management Response to the IAD FY14 Annual Report

4. Summary of Audit Results

5. Summary of Advisory Work

6. Methodology and Professional Practices

7. Appendix A: FY14 Work Program Overview

8. Appendix B: IAD Reports Issued in FY14

9. Appendix C: IAD’s Coverage in FY12-14

10. Appendix D: Alignment of IAD’s FY15 WBG Coverage with WBG Change Agenda


1. World Bank Group Internal Audit Vice Presidency

Internal Audit Vice Presidency’s (“IAD”) Mandate

IAD is an independent and objective assurance and advisory function designed to add value to the World Bank Group (WBG) by improving the operations of WBG’s entities. It assists the Bank Group in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s governance, risk management, and control processes. IAD also focuses on raising awareness of risks and controls, providing advice to management in developing control solutions, and monitoring the implementation of management’s corrective actions to mitigate risks and strengthen controls. IAD’s work is carried out in accordance with the Institute of Internal Auditors (IIA)’s International Professional Practices Framework.

Oversight of IAD

IAD reports to the President and is under the oversight of the Audit Committee. The Audit Committee of the Board of Executive Directors has a mandate to assist the Board in overseeing the WBG’s finances, accounting, risk management and internal controls. The Audit Committee oversees the external auditors with respect to the integrity of the financial statements for the entities and financial reporting for trust funds; the Integrity Vice Presidency with respect to anti-fraud and anti-corruption measures; and IAD with respect to governance, risk management, and internal controls. The Audit Committee’s responsibilities with respect to IAD include:

The review of IAD’s Terms of Reference and recommendation to the Board for approval.

The review of IAD’s annual Work Program and recommendation to the Board for approval.

The review of the results of IAD’s work covering operations and compliance with key provisions of IBRD/IDA, IFC and MIGA’s charters and policies.

The review of the overall effectiveness of IAD.

On an ongoing basis, but at least quarterly, IAD briefs and updates the President and the Audit Committee on engagement outcomes and the progress of management action plans to improve the Group’s controls. IAD also briefs the Audit Committee on any changes to the annual Work Program that may occur as a result of emerging risks, significant changes to the business, or requests from Management for advice on internal control matters.


Foreword from the Vice President and Auditor General

I am pleased to present IAD’s FY14 Annual Report, my first as WBG’s Vice President and Auditor General. I could not think of a more challenging, yet exciting, time to take the leadership of this important function. The Bank Group is in the midst of one of the most significant change processes it has undertaken in recent years, which affects all key aspects of our business and how we operate: business models, client and stakeholder engagement, internal structure, people, processes, systems and culture. This comprehensive change process presents great opportunities and significant challenges.

As the institution pursues these opportunities and tackles those challenges, Internal Audit is well poised to deliver on our core dual mandates: provide, as an independent function, objective assurance that key controls over the business activities of the WBG entities are well designed and operating effectively; and leverage our group wide remit and broad institutional exposure to provide advice and business insights that add value and support the achievement of our strategic priorities.

FY14 has been another significant milestone in IAD’s continuous journey to raise our line of sight whilst also building the supporting infrastructure (people, processes, and tools) needed to deliver on this mandate. In that respect, significant initiatives undertaken by IAD during FY14 include:

Implementation of a significant staff rebalancing to upgrade our skills and align our human capital with the more complex requirements of a risk-based and strategy-centered audit model;

Completion of a skills diagnostic to identify our skills gaps and talent opportunities and to inform both our training and recruitment priorities;

Development of a comprehensive and structured core curriculum to guide our investments in staff professional development in the triple areas of business skills, technical skills, and soft skills;

Comprehensive revision of our end-to-end audit methodology to strengthen, but to also streamline, the audit delivery process;

Selection of a new industry-leading audit tool to better leverage the latest enabling technology platform and support a more efficient and effective audit delivery; and

Investment in the ongoing development of a Data Analytics strategy in order to build up the tools, processes and skills needed to leverage institutional data and modern analytic tools in order to provide more and better evidence-based insights to the institution.

These key investments to develop our people, to strengthen our processes and to modernize our tools will position IAD to live up to our continued commitment to align our work with the strategic priorities of the institution and to deliver relevant and high quality reviews in support of those objectives. This strategic-alignment approach has already led our function to deliver, during FY14, a range of projects designed specifically to provide assurance or advice on key areas of the ongoing reform agenda, such as: reviewing risk management and control aspects related to the integration of WBG’s Information and Technology Solutions, analyzing lessons learned from the implementation of the Operational Risk Assessment Framework (ORAF) to inform the design of a new framework for managing risks in operations, evaluating the Bank’s Environmental and Social Safeguards to support the ongoing reforms in that area, performing deep dive analyses of business processes related to fiduciary risks and Resource Management to identify efficiency improvements as part of the expenditures reviews, evaluating the existing jointness models to inform management’s decision-making over implementation of the One WBG concept, assessing the Bank’s open data initiative, etc. Our FY15 work program will build on this trend and further strengthen IAD’s strategic orientation.

Hiroshi Naka
Vice President and Auditor General


2. Governance, Risk Management and Internal Control

Executive Commentary

A renewal of the World Bank Group (WBG) has been set in motion over the past couple of years. The endorsement of the first WBG Strategy by the Board of Governors during FY14 has provided the authorizing environment to reposition the WBG to achieve the dual goals of ending extreme poverty and boosting shared prosperity. The Senior Management Team (SMT) has launched a comprehensive and significant change process – encompassing structure, processes, and incentives to make WBG’s services more results-focused, evidence-based, and adaptive. The change agenda is designed to drive the internal reforms necessary to achieve the new vision for the WBG, building on the simplification and harmonization efforts undertaken to date.

Given the significance of this change agenda and its potentially profound ramifications for the institution, IAD has opted to focus this year’s Annual Report on the key elements of this reform in our commentary on governance, risk management and internal control. Whilst aligning our focus with the current institutional priorities, this choice also presents significant challenges:

a. The various components of the reform are in an early stage of implementation, including many of the structural changes that have been put in place starting in July 2014. For several areas, while high level blueprints provide the general direction, crucial aspects of the actual implementation are being evaluated and not yet operationalized. Hence, there is an inherent limitation in our ability, at this early stage, to assess, or to opine on, the effectiveness of governance, risk management and internal controls related to the implementation of the reforms.

b. As a result, the bulk of the commentary in this section provides a forward-looking perspective rather than a retrospective assessment and is informed, to a large degree, by plans formulated by Senior Management and preliminary observations rather than an in-depth analysis of actual outcomes from empirical implementation experience. Where applicable, the commentary highlights the proposed body of work that IAD plans to complete that will eventually provide evidence to support an objective assessment in each of the applicable areas.

Against this backdrop, this qualitative commentary is designed to provide constructive and forward-looking input to Senior Management, drawing on IAD’s body of knowledge and experience, including institutional risk assessment exercises (such as the Bank’s annual risk scans, and IFC’s Top Risks Survey). Given the significance of the ongoing change effort, IAD’s qualitative comments are explicitly anchored around the eight broad change objectives of the new WBG Strategy.

1. Helping clients tackle the most important development challenges: The WBG is redesigning its approach to country engagement to better identify where it can have the greatest impact. The new country engagement model includes a Systematic Country Diagnostic (SCD) to identify key challenges and constraints to ending extreme poverty and boosting shared prosperity in the country to identify a selective program of engagement. As this new country-engagement model is intended to be evidence-driven, a key consideration for its successful implementation will be the availability and quality of underlying data, particularly in countries with weak statistical systems. IAD’s past body of work across many areas of the institution has consistently highlighted significant gaps and issues related to either data governance or data quality. Challenges associated with the completeness and quality of country level data have indeed been acknowledged by the WBG in its strategy. Only one-quarter of WBG member countries have adequate capacity and data to assess progress in poverty reduction and shared prosperity, and to account for sustainable development. To this end, the WBG has launched a new “Data for Goals” initiative, working with other development partners, under which member countries will be requested to gather relevant data and improve access to and dissemination of these data through a global database.


Management has also created a Data Council to strengthen data governance. Whether the scope of these initiatives and the level of resources committed are commensurate with the magnitude of the existing gaps remains to be validated. IAD’s FY15 Work Program includes coverage of the Bank Group’s governance arrangements over the end-to-end process for country level data gathering (identification, collection, review and verification, use and dissemination, accountability over key decision points and overall guidelines on management and use of poverty data).

On the same topic of enhanced country engagement, the ongoing modernization of the Bank’s procurement and safeguard policies is designed to further strengthen the country engagement model by providing greater flexibility and a more adapted and comprehensive approach to country contexts and the types of WBG interventions. In this context, a key challenge remains the clear delineation of roles between the Bank and the client given the increased emphasis on building country capacity. The support of the Bank to the borrower will need to take into account the varying levels of borrower capacity. The move towards greater focus on downstream implementation of procurement and safeguards supervision in the Bank (and not just as part of project preparation) is welcome, but will need commensurate management attention and resources. IFC is also sharpening its focus on environmental, social and governance risks, drawing on lessons learned from recent operational experience, to directly support clients in adopting and applying IFC’s Performance Standards, and strengthening their corporate governance practices.

2. Delivering “integrated” world-class development solutions to clients: The successful operationalization of the new strategy hinges on the ability of the Bank Group to marshal and enhance the combined resources and expertise within and across the Bank group entities in order to serve clients – the overarching objective of the WBG’s new operating model, with the creation of the Global Practices (GPs) and the Cross Cutting Solutions Areas (CCSAs). This joint WBG model is one of the key foundational elements underpinning the “Solutions WBG” envisioned by Senior Management. IFC is also establishing a new Global Client Services VPU that encompasses investments, advice, and client relationships, as part of its new structure. A new WBG corporate results framework is expected to cascade corporate priorities identified at the WBG Corporate Scorecard apex level to individual business units over time, so that there is a system for assessing and measuring actions taken on corporate priorities. MIGA, whose guarantee business revolves around leveraging, has established a new client servicing model characterized by increased country focus and the establishment of key client service teams for targeted client engagement. For example, the recent pilot agreement between MIGA and IBRD to swap foreign exposures is a new risk management tool that is expected to free up capacity and support additional business.

Although there is broad consensus on the strategic relevance of these goals, the initial implementation experience has also highlighted significant issues and challenges. Within the World Bank, challenges include: collaboration mechanisms and efficient process between GPs, CCSAs and Regions/Country Units; clarity of roles and responsibilities; clearly understood rules of engagement amongst the various units in the new operating model; effective funding models that enforce corporate discipline while allocating budgetary resources in a transparent, timely, and efficient manner across the various layers of the delivery chain; staffing considerations that balance necessary cost efficiencies with strategic delivery capabilities.

Challenges related to strengthening collaboration across entities of the Bank Group include necessary changes to align and incentivize staff behavior towards working as One WBG. The increased level of integration under the new operating model would also require effective management of inter-institutional business conflicts of interest. These conflicts could arise from the differing interests of the institutions or from the legitimate, but competing interests, of the clients of the different institutions within the group. IAD will review the process for managing inter-institutional conflicts of interest as part of its planned FY15 Work Program coverage.

IAD is also well positioned to contribute to the development of a “Solutions WBG”, given our group-wide mandate and the ability to compare and contrast practices across WBG entities. During FY14, IAD’s advisory review of the WBG ITS Integration showcased the differences and similarities between the IT practices of the Bank and IFC and provided detailed inputs to management on key risk and control aspects of the integration process. IAD’s recent review of the existing institutional “jointness” arrangements was designed to distill lessons learned from existing collaboration models within the Bank group to inform management’s approach in the operationalization of the GPs and CCSAs.

Another core component of the “Solutions WBG” is the introduction of a new approach to managing risks in operations to foster informed risk-taking – by increasing the candor in risk assessment and reporting, reducing duplication of efforts for identifying and managing risks holistically, and by strengthening the systems to capture risk information in a coherent manner for staff and management. We strongly support management’s renewed focus on informed risk-taking. As we have highlighted in our prior Annual Reports, in order to support informed risk-taking, two important enablers need to be in place: (i) a common institutional understanding of which risks are acceptable and which ones are not, i.e. a shared understanding of risk appetites and, (ii) clear accountability for ownership of risks in operations. The landscape of current industry practices suggests that there is no single industry standard or a uniform approach for the design of institutional risk management functions. The critical feature is that the selected architecture must fit the specific circumstances and needs of each organization, including its culture, governance and oversight environment, risk profiles, size, complexity, and degree of operational autonomies within the organization, etc. Additionally, the risk management architecture should not be static. Instead, it should evolve in a dynamic manner as these key organizational circumstances and needs evolve. IAD’s retrospective review of the Operational Risk Assessment Framework in FY14 highlighted the importance of instilling and nurturing a shared risk culture for the successful roll-out of the new Systematic Operations Risk rating Tool (SORT) in Bank operations. Key elements in this process should include: (i) outlining a common set of values and behaviors guiding risk management and results culture; (ii) institutionalizing learning around informed risk management and learning from failure; and (iii) modeling of desired behaviors by Senior Management, especially when risks materialize. In the context of the planned implementation of the new unified risk management framework for operations, clear division of responsibilities between the GPs, Regions, OPCS, and the newly constituted Risk Advisory Group (to review high-risk operations) will be crucial for establishing clear accountability and ownership. Management has modified the Accountability and Decision Making Framework (ADM) in Bank operations to reflect the new operating model in FY15.

An important development in the Bank’s risk management architecture during FY14 relates to the creation, under the WBG Chief Risk Office (CRO), of a new Operational Risk department in addition to the already existing Credit Risk, and Market and Counterparty Risk functions. In addition, the CFO has established a Finance and Risk Committee, which is intended to provide governance over finance and risk issues within the Bank. During FY14, IFC developed an Enterprise Risk Management framework (ERM) to manage risks holistically and to provide a more informed basis for discussing IFC’s risk appetite. IFC has also established a new Corporate Risk and Sustainability VPU that unifies transaction enabling services, risk management, and legal support. MIGA is also focusing on risk management and reorganizing its risk function. During FY15, IAD plans to conduct advisory reviews of: the mapping of risk management roles and accountabilities across Finance units in the Bank; the processes for managing operational risks (relating to people, processes and systems – distinct from risk within WBG operations); and the roll-out of the ADM framework in Bank operations.


3. Collaborative external partnerships aligned with the goals: The new WBG strategy recognizes that the resources of any one institution, the World Bank Group included, are inadequate to meet the emerging development challenges. Partnerships focused on the goals (partnerships with governments, the UN system, multilateral institutions, new and emerging donors, the private sector, and civil society) will be critical to maximize the effectiveness of the Bank Group’s interventions. To this end, management has acknowledged the importance of aligning the partnership programs with the strategic goals of the institution. The new management framework for partnership programs is expected to provide for more consistent decision-making based on greater clarity on the Bank’s roles and accountabilities and the choice of financing mechanism, with special attention to financial intermediary funds. However, fund-raising has been largely decentralized to date, and there has been limited focus on corporate management of partnership programs. At present, various models for the program secretariats are developed on a case-by-case basis in the absence of institutional standards or guidelines. While the portfolio of Partnership Programs (PPs) has grown significantly in recent years, the absence of adequate cost information makes it difficult to quantify all Project Management and Administration (PMA) costs, compare and contrast them across PPs, and determine their reasonableness. Rationalization, of both the size and the activities of in-house partnership program secretariats, is needed to improve governance and oversight of partnership programs. Creating consensus among donors on the “rules of engagement” is also important to increase the efficiency of donor-funded activities as it relates to trust fund operational and reporting requirements. Partnering with the private sector to scale up impact will also be critical. In this regard, IFC is launching a client relationship model to develop long-term partnerships with clients according to their potential for development impact and their contribution to IFC profitability. During FY15, IAD will perform an advisory review of IFC’s management of client information to help IFC enhance the use of client intelligence to identify and explore more business opportunities. As part of its FY15 coverage, IAD will also review the WBG processes for donor reporting on Bank operations and the mapping of risks and accountabilities along the trust funds lifecycle.

4. A Financially Strong WBG: To deliver on the Strategy and meet the goals, it is imperative that the institution grows its financial capacity to deliver more to clients and maximize impact. The new finance and risk framework established by the Group CFO aims to strengthen the WBG’s financial capacity, optimize expenditure, and strengthen the capital base to meet client needs. Senior Management and the Board have approved a set of important measures aimed at enhancing IBRD’s revenues and capacity, thereby providing the institution with improved “margins for maneuver” to align its financial resources with its ambitious twin goals. Management is also enhancing the financial capacity by strengthening WBG's business model and by developing innovative approaches. For example, the new agreement between MIGA and IBRD to swap exposures is a new risk management tool that is expected to free up capacity and support additional business. IBRD is also exploring the use of several innovative financial structures for hedging exposures or crowding-in private sector financing, “leveraging” IBRD’s preferred creditor status. Concurrently, the group-wide Expenditure Review (ER) exercise is designed to achieve sustainable savings on the cost base, while retaining or expanding the capacity to deliver value to clients.

One key aspect, however, that needs to be carefully monitored is the continued alignment of risk governance and oversight, in the financial area, as some significant changes take place in the near future. Such changes include, for example: a) the strategic shift towards Finance and Treasury as an actual "line of business" rather than just an internal support function, or b) the shift towards a more active and dynamic management of the bank's equity as opposed to the passive equity hedging strategy of the past few years. These changes are welcome and very much in line with the desire and need to build capacity and strengthen financial sustainability. However, the pursuit of higher returns goes hand in hand with a presumed willingness to take on more risks. Thus, there is a need to continually monitor the financial risk management framework and governance/oversight processes to ensure that they remain commensurate with increased risk-taking and effective mechanisms are in place to independently and objectively monitor, measure and report both risk exposures and returns. In addition, robust governance arrangements to monitor and periodically report on the achievement of the cost savings targets (after taking into account the upfront costs involved) to Senior Management and the Board will also be important. Management will also need to guard against possible erosion of cost savings over the medium term, which could offset the immediate institutional gains from the expenditure review savings. IAD’s FY15 work program includes an advisory engagement on the norming of Country Management Units (CMUs) to support management’s ongoing work on the Expenditure Review exercise.

5. Knowledge, Learning and Innovation: We noted in our FY13 Annual Report the importance of managingknowledge as a strategic asset at the portfolio level. The institution has historically managed knowledge in anunstructured way, resulting in missed opportunities to maximize the Bank Group’s value proposition. Fragmentedknowledge management systems have not supported the production, capture, curation, and flow of knowledge.Other contributing factors include lack of incentives in building a culture that values knowledge and under-investment in knowledge governance. Management has underscored the importance of creating a new knowledgemanagement ecosystem that includes integration of technology and knowledge platforms as well as advocating“knowledge citizenship” to foster behavioral change. While the GPs are intended to strengthen the mobilization,flow, and sharing of expertise and knowledge that has been historically fragmented across geographic and sectorunits, the focus on “Science of Delivery” seeks to emphasize the use of evidence and metrics to continuouslymeasure, learn, and adapt as an organization. IAD’s FY15 Work Program includes a review to assess the processesfor delivery of knowledge products within the Bank.

6. Information Technology to deliver transformative change: Information Technology systems that connect staff to information, knowledge, clients, and to each other are critical to the implementation of the change agenda. Simple and flexible IT solutions can be a significant “capacity multiplier” in fostering efficient and streamlined business processes. Management has completed the extensive systems preparatory work underpinning the transition to the new operating model with GPs and the CCSAs. As full implementation of the new operating model and other components of the change agenda get underway in FY15, continued focus will be needed to upgrade and to adapt the WBG IT infrastructure and network to enable connectivity and knowledge flows, including expanding bandwidth, migrating to cloud-based storage systems, and consolidating and harmonizing data and analytics for corporate-level dashboards. The renewal of IT infrastructure in a resource-constrained environment, based on strategic business objectives and effective needs-based prioritization, will need to be an area of focus. There are a number of areas wherein technologies and/or applications could be leveraged in a potentially more integrated manner. Differences still exist between the Bank and IFC in the understanding of IT roles and responsibilities in Country Offices, security configurations, change management, and the oversight and monitoring of processes to manage IT platforms. The ongoing Information Technology Integration initiative, which includes the process convergence work, offers an opportunity to consolidate IT infrastructure. IAD’s audit results indicate significant progress made by management in the information security area, with the implementation of its next generation cyber-security strategy to protect information assets. On a broader scale, there is a need for better alignment of the information security strategy with institutional risk appetite, in order to determine the options and levels of risk management. The extent of Board involvement in the overall governance and oversight of IT related risks also needs clearer articulation. IAD’s FY15 IT coverage is designed to strike a balance between emerging areas of focus, such as Cloud Computing Infrastructure and Integration, and the Joint Cash Management System, as well as coverage of mature processes such as those relating to IT identity and access management, and database management.

7. Talent Management and HR Reforms: Improving talent management is indispensable to creating and maintaining a capable and committed workforce to deliver on the WBG strategy. A systematic corporate management of staffing practices throughout the World Bank Group is also important to: (i) align staffing with strategic priorities, for example, through the GPs and the new strategic budget planning process; (ii) achieve efficiencies, through redeployment and reassignment of staff that will be applicable across the Group including IFC and MIGA. The recent measures introduced around “employment controls” are intended to promote and preserve institutional efficiencies and to ensure staffing growth is solely driven by business needs. Management’s planned implementation of HR reforms is intended to focus on (a) improving managerial effectiveness; (b) proactively managing careers and talent; (c) rewarding and recognizing staff differentially on the basis of their performance and skills; and (d) leveraging the WBG’s global workforce. Building a culture of performance and accountability will be equally important in delivering on the WBG Strategy. Management is working to align staff and unit objectives to corporate priorities and to introduce a new performance rating system to reward performance, results, and behaviors. HR’s capacity to support the various aspects of the current reform agenda and the successful design, sequencing, and execution of reforms across the entire suite of HR areas (strategic staffing, compensation and benefits, talent management, performance, leadership and managerial development) will constitute a foundational pillar of the change process. IAD’s FY15 Work Program includes specific reviews to assess: (i) the effectiveness of change management processes in the context of the new operating model; and (ii) post-implementation of business process changes within the HR PeopleSoft system.

8. Culture and Incentives: The significance of institutional culture for successful execution of the WBG Strategy and implementation of the change agenda cannot be overstated. While structure is important, culture is paramount in successfully implementing the change agenda. The institution’s ability to deliver on its strategy and reform its processes will, to a very large extent, hinge on the extent to which management and staff behaviors are aligned with core aspects of the change process (e.g., Working as One World Bank Group, willingness to take informed risks, candidly discussing problems and failures in order to foster institutional learning, focus on solutions that work, etc.). Any misalignment between the existing incentive/reward systems could jeopardize the success of the reform agenda. For example, for the new unified risk management framework within Bank operations to be effective, management will need to articulate how the new framework incentivizes candor in reporting project level risks and in fostering risk-informed decision making. Sustained commitment to culture change will be necessary to make change stick, as changing institutional culture is admittedly a medium to longer term process.

This also requires a culture of openness where staff can both express new ideas and be critical of change implementation methods without fear of retaliation, and a strong internal justice system to support that culture. WBG Management has expressed a clear intent to undertake a program of cultural transformation to encourage new behaviors among leaders and staff, including collaboration, decisiveness, informed risk-taking, results focus, and responsibility to create and share knowledge. Fostering a deeper understanding of the importance of shifting culture through staff engagement and through the role modeling of desired behaviors by leadership will send a strong signal that culture change is indeed taken seriously and will set the tone for behaviors across the institution. Formal (performance evaluation) and informal (recognition) incentives should also help reinforce these messages.


In summary, the current reform agenda, if successfully implemented, has the potential to open up a number of significant opportunities for the WBG. Effective operationalization of the various elements of this reform agenda would undoubtedly position WBG to make significant headway towards the achievement of its new goals. Yet, this successful operationalization will also require continued attention to the equally significant challenges that inevitably come with any ambitious reform of this magnitude, as highlighted in this report:

Clarity of roles and responsibilities to drive strong accountability, and effective rules of engagement between the different business units (GPs, Cross Cutting Solutions Areas, Regions, etc.) to support the implementation of the new operating model;

Strong incentives and effective mechanisms for collaboration within the WBG entities while carefully managing potential conflicts of interest, and better leveraging of synergies across bank group entities to fully realize the benefits of an integrated model;

Clear delineation and understanding of both risk appetites and accountabilities for managing risks within those appetites;

Design of a reward system and incentive mechanisms to promote the cultural changes that must underpin any sustainable reform of the institution;

More effective alignment of partnerships and external funding with the institution’s strategic priorities, along with more streamlined processes with the various donors; and

Quality of data and effective management information systems to support timely and effective decision-making.

On a closing note, while management needs to build on the momentum and maintain the sense of urgency around the key reform areas, it will be equally important to maintain focus on quality of operations and responsiveness to client needs. The implementation of the change agenda will require the organization to make decisions based on imperfect information, assumptions, and estimation. Thus, course corrections will be needed along the way, which are normal and expected with any major reform process. However, for this approach to yield long term success, effective monitoring and feedback mechanisms need to be carefully designed to continuously assess in a timely and, even more importantly, in a candid manner what's working and what's not working and to make necessary adjustments on a real-time basis as better information becomes available. Effective implementation of the WBG Strategy will also require business processes to be simplified and streamlined to foster continuous improvement and to make it easier for task teams to serve clients. OPCS is working with a cross-functional Bank team to develop an action plan for simplification, based on staff input received through a crowd-sourcing exercise. The implementation of the action plan is being closely monitored by management, with regular updates provided by OPCS. From a governance and role clarity standpoint, it will also be important to ensure clear ownership for each of the change work streams. Management’s Integrated Project Management Plan (IPMP) is a welcome step in establishing an overall monitoring and evaluation framework for measuring progress against the change objectives, by “unpacking” the change objectives into actionable deliverables and milestones. The President’s Delivery Unit (PDU) has also been constituted with the objective of monitoring the institutional focus on selected key indicators for results measurement.

IAD looks forward to working collaboratively with Senior Management and the Audit Committee during FY15, as the institution moves forward with the implementation of the WBG Strategy.

Hiroshi Naka

Vice President and Auditor General


3. Management Response to the IAD FY14 Annual Report

Management Response

The World Bank Group (WBG)’s Management team welcomes the FY14 Annual Report on the Internal Audit Vice Presidency and appreciates the forward looking approach of IAD’s views on the challenges facing the institution as it strengthens the new structure and operating model to achieve our goals of ending extreme poverty and promoting shared prosperity. Management recognizes that leadership direction, sustained commitment to the vision, and role modeling of desired behaviors and values will be vital to success, as is putting in place the structures, processes and incentives to enable staff to perform to their highest potential and deliver for our clients.

As noted in IAD’s comments, the WBG is at an early stage of implementing the new operating model and embedding the new structures, processes and procedures will take time. Management’s comments below focus on IAD’s qualitative comments of the FY14 Annual Report.

The WBG strategy builds on the important foundation set by recent reform efforts, including the modernization agenda, IFC 2013 and MIGA’s strategy review. The three key elements at the core of the WBG’s Strategy are:

Tackling the biggest challenges — strengthening the focus of country programs through a more evidence-based and selective country engagement model, while supporting complementary regional and global engagements necessary to advancing the WBG goals

Becoming the “solutions WBG” — establishing global practices, undertaking more joint projects and business planning, and scaling up knowledge and innovation as key accelerators toward the goals

Working through partnerships — building on existing collaborative relationships, further leveraging private partners, actively engaging civil society, and strengthening strategic alignment of trust funds and partnership programs with the goals.

Management agrees that while collaboration and cooperation across the WBG and organizational units is paramount to successful implementation of the strategy, clarity of roles and responsibilities together with clear accountabilities is equally important. An important development to address these challenges is the implementation of the WBG Corporate results framework and Scorecard to help monitor progress and take early corrective action when needed.

The introduction of the new risk management framework for operations, which is progressively being rolled out across all instruments and operations, is an important element of Management’s focus on informed risk taking and streamlining of processes. The recently formed Risk Advisory Group for high risk operations is establishing clearer accountabilities, and a series of actions have been/are being taken to improve and streamline business processes (e.g. simplification, ADM, streamlined coding).

Management recognizes that getting work done under the new operating model will require greater collaboration among a more diverse group of people performing new tasks, in more locations, under greater expectations. To support this new approach, Management is encouraging and enabling wider staff networks and connectivity while providing a strong sense of direction, implementing integrated workflows, and leveraging technology and aligning incentives.

As highlighted by IAD, while maintaining the sense of urgency around strengthening the new operating model, it will be equally important to maintain focus on quality of operations and responsiveness to client needs. Management recognizes the complexity of the change agenda and the challenges that come with it and welcomes the future IAD audit and advisory reviews that are planned to provide observation, empirical evidence and assessments that are planned in support of the efforts to strengthen the WBG.


4. Summary of Audit Results

World Bank Group

The audit of the WBG Records Management covered the governance framework and technology solutions supporting the records management program as well as monitoring and training practices. The audit noted significant progress made in recent years, including (i) development of records management directives; (ii) implementation of a documentation management system (WBDocs and IFCDocs); (iii) establishment of dedicated records management teams in both IFC and MIGA; (iv) launch of training courses; introduction of employee incentive programs; and, (v) communication of qualitative metrics. However, despite this progress, the WBG’s records management program has considerable scope for improvement in the areas of: (i) consistent practices across units; (ii) effective monitoring of the program; (iii) representation and mandate for the primary governance body; and, (iv) accountability to manage the program. The ability to effectively manage records is also hindered by the limited search capabilities in the electronic records management systems. Management will reassess and redefine strategies to increase adoption of the records management program, to strengthen the governance function, the linkage between defined metrics and results, and to foster better accountability and enforcement.

The audit of the WBG Open Data Initiative covered management practices supporting the Open Data Initiative (ODI), and highlighted the existence of sufficient risk management and control processes over the ODI, clear criteria for releasing data in open format, and effective controls to ensure that the data being released meets the requirements of being open, accessible and searchable.

The Bank’s Access to Information Policy forms the basis for an ‘open by default’ approach, which is a leading practice. The Open Data ‘terms of use’ effectively safeguard the WBG interests by clearly defining the open license for datasets, attribution requirements and exclusion of liability associated with the use of the data provided. Although considerable achievements have been made in each stated strategic objective of the ODI, it is difficult to ascertain the level of progress against objectives, as specific milestones are not defined. The Open Data Working Group has worked well as a ‘coalition of the willing’ since the initial start-up phase of ODI until now, but it needs clearer and specific authority as a governance and oversight function to ensure broader participation across the World Bank Group going forward.

The objective of the audit of the WBG Internal Network Security was to determine whether: (i) governance processes have been established; (ii) the internal network architecture is securely designed and implemented; and (iii) controls are in place to monitor and respond to network availability issues. The audit concluded that the WBG internal network is secured through multiple technologies and controls, including but not limited to, centralized network device management, network access control, intrusion detection and security monitoring, and network segmentation. While IAD acknowledged that management has made a significant effort over the past few years to improve security of the internal network, it also noted existing control weaknesses in the maintenance of the WBG internal network security. The IT integration project will address harmonization of remaining differences between the Bank’s and IFC’s network security controls. Management will continue to seek opportunities to strengthen the WBG internal network security.

IAD’s FY13 audit of the Bank’s Corporate Budget Process contributed to institutional actions to enhance the usefulness of the budget as a strategic tool, including: (i) greater linkage between budget allocations and strategic priorities, (ii) formulation of metrics to guide and assess reasonableness of budget allocations, (iii) informed consideration of external funds in budget decisions, and (iv) clearer delineation of the roles and authority of the corporate budget unit. The report informed Senior Management’s reform efforts in designing and rolling-out a new strategy-driven budget process during FY14, under the oversight of the Managing Director and WBG CFO.

Contribution to Institutional Change Priorities

The objective of the audit of the WBG UNIX Server Platform was to determine whether: (i) effective governance processes have been established; (ii) Unix servers are configured securely; and (iii) system changes and patches are implemented effectively. The audit showed that the WBG has implemented a number of controls to secure the Unix server environment. These controls are defined within the Unix Server Security Standards. The audit also noted the existence of issues stemming from the overall governance environment that increase the risk that the WBG’s critical assets are not being secured in a manner that is consistent with management intent. ITS management has agreed to undertake a review of the existing governance structure for managing Unix servers, develop a plan to revamp and strengthen the asset management process, and has taken action to ensure that the security issues noted in the Unix servers have been remediated.

The objective of the audit of the WBG Cyber Threat Management and Preparedness was to determine whether: (i) processes have been established to govern the management of cyber threat preparedness; (ii) the WBG has developed a strategic and intelligence-driven approach to understanding cyber threats; and (iii) capabilities are implemented for identifying and containing cyber threats. The audit noted that the WBG Office of Information Security (OIS) has made a significant effort and investment in the area of developing and improving cyber threat monitoring and response capabilities to strengthen WBG’s overall security posture. The Information Security Operations Center (iSOC), established by OIS, operates on a 24/7 schedule and provides security incident monitoring and response capabilities. The audit also highlighted that the controls and processes related to cyber threat monitoring and response for the iSOC are designed and operating effectively. Though no significant issues were identified during the audit, IAD noted areas to further improve cyber threat management and preparedness maturity and effectiveness.

The objective of the audit of WBG Country Office (CO) IT Operations was to determine whether: (i) governance over CO IT operations and processes to manage IT infrastructure and assets are adequate to support the country office business needs; (ii) CO IT facilities, infrastructure, and assets are secure; and (iii) CO IT expenditures are effectively managed and monitored. The audit did not identify any significant control weaknesses in the IT operations of COs, and noted that the IT infrastructure in COs, while limited by design, is well managed. The audit noted, however, that with the ITS integration and planned transition of CO IT teams to a new centralized reporting structure, effective FY15, ITS Client Services (ITSCS) has an opportunity to further break the silos, reduce redundancies, and increase knowledge sharing between the Regional IT teams to ensure their clients in country offices are being served effectively.


IAD’s review in FY13 of the Bank’s Operational Framework for using Investigation Results in Bank-Funded Projects highlighted the need for consistent flow of investigation-related feedback into Bank operations, as well as effective corporate oversight arrangements. Management has since clarified the working arrangements between INT, OPCS and Regions, including processes and accountability for development and monitoring of action plans addressing INT investigations. Implementation of the working arrangements in FY14 also includes annual discussions of the main issues arising from final investigative reports and action plans, and the issuance of an annual report. A more structured process for identification of projects with high F&C risks has also been implemented.

Contribution to Institutional Change Priorities


IBRD/IDA

The audit of the Bank’s Management of Legal Risks covered the roles and responsibilities in the management of the Bank’s legal risks, the risk assessment process, and the process to manage the preparation of legal contracts, along with other related topics. The audit noted that the Bank has effective processes in place to identify, monitor, and mitigate legal risks in its operations and activities. The Bank’s legal department is effectively involved in the identification and mitigation of legal risks, including ensuring that the Bank’s immunity is effectively preserved, and its interests are safeguarded.

The objective of the audit of the Bank’s Management of Fees for Reimbursable Advisory Services (RAS) was to assess the effectiveness of existing governance and control processes and the design of planned control improvements. The audit highlighted that management has been proactive in the self-identification of issues relevant to RAS. Many control improvement measures to standardize and streamline processes were either in progress or completed at the time of the audit. The audit also noted that while the existing management-level controls mitigate key risks within the process for the current scale of the reimbursable advisory services operations, there is a need to ensure that a holistic set of effectively designed and consistently implemented institutional controls are in place for the management of fees for the RAS. Management has agreed to implement an institutional costing methodology and facilitate Senior Management discussions on holistic portfolio level assessments of the RAS business line as part of the business planning process.

The objective of the audit of the Management of Ineligible Expenditure of Investment Project Financing was to assess the governance, risk management, and controls over the processes for: (i) reviewing potential ineligible expenditures; (ii) deciding on legal remedies when ineligibility has been confirmed; and (iii) reporting ineligible expenditures to relevant parties. Adequate controls are in place over the processes used by regions and Controllers’ (CTR) to review ineligible expenditures and analyze the underlying root causes at the project level. Trends and lessons learnt have been captured and disseminated at the regional level and fed into existing and future operations. The audit also highlighted the need to increase efficiency of ineligible expenditure management by prioritizing review of potential and confirmed ineligible expenditures in view of attaining a good balance between costs and operational benefits. It also noted that compiling the information of ineligible expenditure at an institutional level will streamline communication among units involved.

IAD’s FY12 review of the Bank’s Policies and Procedures Framework focused on the overall policy architecture, including the ownership of policies and procedures, processes for the development of new and significant revisions to existing policies and procedures, implementation processes, policy retirement and archiving. The review highlighted the need for Senior Management sponsoring the development of a single WBG Policy and Procedures Framework, including establishment of the requirements and responsibilities for the development, approval, communication, implementation and review of all policies and procedures. The engagement results helped inform the development and roll-out of a new group wide Policies and Procedures (P&P) framework, by the Legal Vice Presidency, with clear distinction between mandatory requirements and optional guidance.

Contribution to Institutional Change Priorities


The objective of the audit of IBRD’s Net Income Projection Process was to evaluate and assess the adequacy and effectiveness of: (i) governance over the projection processes including roles and responsibilities; (ii) use of projections as a tool to facilitate the Board's year-end income allocation decision-making, and to provide information regarding future direction of net income for corporate planning purposes; and (iii) processes for projecting income from various sources, such as loans and investments, and expenses. The audit noted that the design and implementation of controls over IBRD’s net income projections are adequate for their current use, purpose, and intended objectives. Controls are in place that help ensure accurate, complete and timely reporting of the projections along with the underlying assumptions to support the Board in income allocation discussions and decision-making. In addition, at the operational level, sufficient data validation controls are in place to ensure quality and reliability of the reported net income projections. The audit outlined certain efficiency and effectiveness related aspects that would contribute to the future use of these projections by the institution.

IAD’s FY13 advisory review of the Bank’s Funding of “Below the Line Grant-Making Facilities” evaluated the Bank’s budget allocation to five grant-making facilities, and highlighted that these allocations had been based on historical precedent, and not fully reassessed at the time of annual renewal. At the facility level, the absence of established financial management practices impedes comparative assessment of funding needs. This review provided an important input to management’s budget discussion of the “below the line” budget and Bank-funded grant making facilities. Management and the Board decided to eliminate the concept of “above the line” and “below the line” budget items effective FY15, and phase out the Bank’s financial contributions to grant-making facilities.

Contribution to Institutional Change Priorities

IFC

The objective of the audit of the IFC’s Corporate Scorecard was to evaluate IFC’s Corporate Scorecard and to assess the adequacy and effectiveness of: (i) the governance structure, including roles and responsibilities; (ii) linkage of scorecard indicators to the institution's strategic priorities; and (iii) Management’s use of the corporate scorecard as a tool for results measurement. The audit highlighted strategy formulation process setting specific corporate priorities that are reflected in the core scorecard indicators. The framework includes a robust cascading process that links the strategic focus areas in the corporate scorecard to the operational targets at the Vice President and Director levels, which are then tracked in separate but related departmental scorecards. In addition, IFC has established appropriate incentive mechanisms by setting up variable reward programs that provide additional compensation to business units that meet or exceed their indicator targets. Notwithstanding these strengths, the audit also highlighted weaknesses in IFC’s scorecard process as it relates to facilitation of dialogue with the Board, nature of metrics to track developmental impact, alignment across IFC business lines and administration of the scorecard.


The objective of the audit of IFC’s Nominee Directorship and Fund Committee Membership was to evaluate and assess the: (i) overall governance framework; (ii) process for identification and selection of candidates; (iii) performance monitoring and reporting; (iv) directorship fees and expenses; (v) legal risk management and (vi) related information technology controls. The audit noted that robust controls are in place to analyze and manage potential conflicts of interests within directorship assignments, ensure compliance with relevant local laws, and cover potential legal liabilities to IFC and Nominee Directors. Given the fast growth of IFC’s equity investments as well as the increased strategic relevance of the role that Nominee Directors play in enhancing the development mandate, further strengthening is required in the areas of independent performance monitoring, clarification of the roles that Nominee Directors can play in addition to their fiduciary role, establishment of processes for continuous monitoring of procedural restrictions and enhancement of controls for timely renewal of Directors’ and Officers’ (D&O) liability Insurance.

IAD’s audit of IFC's Management of Funding Operations, assessed: (i) the governance structure; (ii) funding strategies and process for issuance of debt; (iii) trade execution, verification, confirmation and settlement process; (iv) cash reconciliation and trade accounting; and (v) debt servicing, buybacks, call monitoring and trade terminations. The audit noted that controls over IFC’s funding operations are adequately designed, operate effectively, and the current governance structure supports management oversight over the funding operations. Although there is a robust governance structure and operational controls are operating effectively, the audit identified opportunities to enhance process documentation and segregation of duties; and to improve efficiency through increased automation in the debt servicing process.

IAD’s audit of Environmental and Social (E&S) Risk Management in IFC Projects covered IFC’s E&S risk management for investment and advisory services projects. The audit noted that IFC has strong processes in place to identify, manage and monitor E&S risks, with a clearly defined and publicly available risk framework. The E&S risk management process is led by a department of technical experts, CES, who are responsible for conducting due diligence, advising clients on how to mitigate E&S risks, and supervising projects' E&S performance over time. CES also has processes in place to monitor the institution's compliance with E&S procedures and to continuously improve implementation of the Sustainability Framework. The audit noted some areas for improvement related to the January 2012 update of IFC's Sustainability Framework, including the Access to Information Policy (AIP). IFC management has, in most cases, already recognized the need to address the identified weaknesses and has initiated efforts to strengthen controls.

4. Summary of Audit Results

IFC (Contd.)

IAD’s FY12 audit of the Management of Integrity Due Diligence (IDD) in IFC's Projects assessed whether IFC has a robust IDD process for investment and advisory projects. The audit showed that IFC management has paid increased attention to integrity risk and developed an improvement plan, which introduces a more systematic approach to risk identification with a view to ensuring that all projects with a high integrity risk are identified and referred to IFC’s Integrity and AML/CFT unit. However, the plan did not include effective oversight of the business units’ rigor in adhering to IFC’s corporate principles on integrity risk management. Management has since implemented a more robust oversight process to address the weaknesses identified in the audit.

Contribution to Institutional Change Priorities


The audit of MIGA Process for Pricing Guarantees covered: (i) the governance framework for guarantees pricing; (ii) the pricing methodology and calculations; (iii) the pricing/costing model; and (iv) the development and vetting of underlying assumptions. The audit highlighted that the design and implementation of controls within MIGA’s guarantee pricing process are effective. A framework exists for setting guarantee premiums with defined objectives for pricing, and the principles that drive premium and fee setting are established in the Board approved MIGA Operational Regulations.


MIGA

IAD’s FY13 audit of Environmental and Social Safeguards Risk Management in MIGA Projects highlighted that although MIGA had adequate controls in place to identify and assess environmental and social risks in the underwriting process, its related risk monitoring of existing projects was not systematic and organized. Information about monitoring activities was not always accurate, and key project documents were difficult to locate due to the absence of an effective record management system. Since the audit, management has strengthened monitoring by redefining process and introducing a more disciplined approach to tracking implementation of environmental and social action plans. In addition, in the spirit of the One WBG approach, MIGA updated its standards and harmonized them with the E&S standards of IFC, since both entities interface with the private sector.

Contribution to Institutional Change Priorities


The objective of the advisory review of the WBG Information and Technology Solutions (ITS) Integration – Risk Management was to provide guidance to the newly integrated ITS security and risk management group on oversight of integration-related risks. The advisory team: (i) provided a holistic view of the organization’s risk methodologies and showcased the differences and similarities between the Bank and IFC practices; (ii) created an inventory of the current state of risk management capabilities and compared them to the industry leading practices and the core components of an efficient risk management framework; (iii) identified and documented high-level observations and gaps; (iv) developed detailed recommendations for the future state of the ITS risk management; (v) developed tools and templates to support ITS risk management activities going forward; and, (vi) advised on industry leading practices and recommended key risk indicators to appropriately track risk levels.

The objective of the advisory review of WBG Cloud Computing was to determine whether: (i) processes have been established to govern the management of the cloud computing environment; (ii) ITS has developed an approach to evaluate cloud computing use cases and vendor cloud solutions offerings; and (iii) key requirements for addressing risks related to security and data protection are considered prior to cloud implementation. The review noted the significant effort and investment the WBG has made over the past year to establish foundational capabilities to adopt cloud solutions, including the: (i) establishment of a governance structure to manage and facilitate adoption of cloud solutions; (ii) creation of risk assessment framework to manage cloud-related risks; and (iii) recognition of the need to invest in enhancing and building unique cloud competencies. The review’s key recommendations included: (i) development of a three-year strategy to build a cloud-enabled target state environment; (ii) development of cloud reference architectures to execute the multi-stage roadmap and achieve the target cloud operating model; and (iii) enhancement of the effectiveness of risk assessment processes and development of a vendor risk management program. Additionally, given the dynamic technology landscape of cloud computing, management should continue to maintain its focus on further strengthening governance processes and execution of the Cloud-First approach at the WBG.

Advisory Reviews

5. Summary of Advisory Work

With a view to supporting the Bank’s broader expenditure reviews, in FY14, IAD performed fact-based efficiency reviews during the quarter, in the areas of (i) fiduciary risk management in Bank operations and (ii) the Bank's Resource Management (RM) function. The reviews were designed to support management's effort to identify areas of efficiency gains, by providing an objective fact-base on the current state environment. The scope of work on the fiduciary piece entailed a specific focus on opportunities for efficiency gains in key fiduciary activities - such as the Bank's procurement prior and post reviews, review of FM external audit reports provided by borrowers, and Controller's disbursement processes. The RM review covered the organizational structure and service delivery model of the function with a view to identifying opportunities for leveraging economies of scale through both structural consolidation and process simplification. IAD's analyses were provided to the relevant stakeholders to help inform Senior Management decision making in these functional areas.

Contribution to Institutional Change Priorities

In addition to its audits, IAD conducts advisory reviews, which provide management with guidance on risk and controls and are typically focused on new and developing processes and systems.


The objective of the Overview of the Bank's Resource Allocation Process for Project Implementation Support was to provide a fact base to support the Bank's current institutional change initiative as Senior Management thinks through a revised approach to managing risk in operations. The review highlighted similarities and differences in Regional practices: in the use of portfolio risk information to allocate monetary resources to individual projects; arrangements for responding to changing operational needs; and, management's monitoring of resource usage. IAD presented a high level analysis for consideration by Senior Management as it creates a new suite of risk measures and decision-making processes for operations.

The objective of the advisory review of the Disbursement Assurance Framework (DAF) was to evaluate the effectiveness of the DAF in enabling the World Bank disbursement unit to gather all relevant fiduciary risk information, make fully informed decisions, and identify areas for improvements. The review highlighted that the direction of the DAF concept is consistent with the institutional shift to risk-based approach to internal control activities. IAD recommended that management enhance the design of the framework to increase tangible benefits in terms of both efficiency and additional assurance; and further clarify risk definitions, risk attributes, and criteria for risk rating.

The objective of the advisory review of the Bank’s Oversight of Costs and Expenditures of Partnership Program Management and Administration (PMA) was to: (i) review existing controls over costs and expenditures of PMA functions; and (ii) provide specific recommendations to Management for improving the existing practices. The review noted that the significant growth of the partnership program portfolio has resulted in inconsistencies in the internal arrangements for PMA across the partnership programs. PMA units were created on a case-by-case basis to meet the specific needs, but without clear Bank-wide standards. This resulted in different practices in the costing, funding, and reporting of PMA units, making it difficult to quantify all PMA costs, compare and contrast them across PPs, and determine their reasonableness. IAD recommended that going forward, management needs to enhance the coding and resource management approach to PMA functions. Management committed to developing further guidance for PMA, recognizing that the responsibility for follow-up on some of the recommendations may shift with ongoing changes in Bank operational structures.

Advisory Reviews (contd.)


IAD’s FY13 advisory review of the Integration of the WBG Information and Technology Organization (IMT) facilitated the transition to the integrated IT organization, by providing a stock-take of the current state Operating Model across the information technology units of the Bank and IFC, including assessing the key similarities and differences across major functions and capabilities between the two units. The review also provided an analysis of the target operating model alternatives and the related trade-offs. The review results were a key input to facilitate the successful deployment of the new integrated organization in FY14.

Contribution to Institutional Change Priorities


The objective of the advisory review of the Integrity Vice Presidency Independent Advisory Board (IAB) was to assess the organization of the IAB, its effectiveness and continued adequacy of its mandate. The review concluded that the IAB has accomplished the various tasks it was requested to undertake, and has advised the President and the Audit Committee on the function of INT and other requested topics, and provided continuous assessment of INT’s performance. IAB has served as a trusted independent advisor to INT management and helped steer the function. In contrast, the views of regional units and other units that interacted with IAB have been mixed with respect to the usefulness of IAB to the institution. The IAB’s effectiveness has also been affected by the weaknesses in the design of its work processes such as the lack of an institutional forum to discuss IAB recommendations involving operational units, lack of a feedback loop to IAB, and the absence of systematic response to IAB’s recommendation within management.

The objective of the advisory review of the Bank’s Environmental and Social Risk Management was to assess the Bank's environmental and social risk management practices with a focus on: (i) environmental and social risks’ identification and response; (ii) monitoring of the implementation of mitigation measures, and tracking of environmental and social risks throughout the project lifecycle; (iii) accountability arrangements and management’s oversight of environmental and social risk management; (iv) the resources for environmental and social risk management including the allocation of technical experts; and (v) the standards set for environmental and social development specialists’ technical training. The review identified improvement opportunities in the Bank’s practices for environmental and social risk management related to institutional instructions, assignment of responsibilities, integration between budgeting decisions, activity planning, and staffing, and institutional authority to make top-down decisions.

The objective of the advisory review of Operational Risk Assessment Framework (ORAF) was to: (i) review the implementation of ORAF with a specific focus on its use and effectiveness as a risk management tool; and (ii) review the constituent elements (culture, systems and tools, structure and organization) underpinning the architecture of the new unified risk framework, informed by IAD's analysis of the lessons learnt from the ORAF implementation experience. The review noted that the intent and conceptual underpinnings of ORAF were sound and that the framework was designed to promote a structured and disciplined approach to risk identification, assessment, and mitigation. However, ORAF could not be successfully operationalized due, in large part, to the lack of incentives for its use and the consequences of its use. The review also noted that although management has recognized the significance of culture, tools, and structure in the new framework, there is a need to factor lessons learned from ORAF into the design and implementation of the new framework. IAD provided management with an analysis of lessons learned, key takeaways and considerations going forward.

In the Status Memorandum on IFC’s Management of Market Risks in Equity Portfolio, IAD reviewed the analysis performed by IFC’s management to support the decision to accept the price volatility and the volatility of the foreign exchange in its equity investments. IFC's Corporate Risk Committee (CRC) approved the “Equity Risk Policy Framework”, acknowledging that risk acceptance posture. IAD obtained and reviewed the management analysis underpinning the risk acceptance decision and overarching conclusion leading to the approval of the “Equity Risk Policy Framework”, but since the new and approved framework introduced no new processes or controls deemed auditable, no audit procedures were performed. IAD recommended that management: (i) establishes processes for ongoing measurement, monitoring and analysis of risk, (ii) ensures periodic reporting to Senior Management and the Corporate Risk Committee on the results of the periodic re-assessment, and (iii) communicates risk acceptance decisions and underlying rationale therefor to the Audit Committee.

Advisory Reviews (contd.)


6. Methodology and Professional Practices

In accordance with IIA Standards, IAD establishes risk-based plans taking into account the World Bank Group’s risk management framework.

The Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing (“the Standards”) emphasize top-down, risk-based planning consistent with the organization’s goals, taking into consideration the input of Senior Management and the Board. Internal audit planning needs to make use of the organizational risk management process and consider the most significant risks of the organization in determining priorities for allocating internal audit resources. (IIA Practice Advisory 2010).

IAD’s risk assessment process is consistent with IIA standards. Figure 1 describes the principles on which IAD bases its annual risk assessment.

IAD’s Risk Assessment Principles

Figure 1: Principles for IAD’s Risk Assessment

[Figure 1 labels: Management’s view of risks; Institutional Priorities; Ongoing consultation with management; Results of IAD’s prior audits; IAD’s knowledge of risks & controls; Top-down approach; Bottom-up approach; IAD’s FY14 Annual Work Program]

Principles of Risk Assessment

1. Risk assessment is aligned to WBG strategy. The objective of the process is to identify and prioritize potential audit areas that pose the most significant risks to the WBG and could prevent it from achieving its goals and objectives.

2. IAD’s focus is on high-rated risks. The approach undertaken recognizes that audit resources are limited, which prohibits 100% coverage of all areas each year. The Work Program will aim to cover most of the high risks areas each year.

3. IAD must evaluate the effectiveness, and contribute to the improvement, of WBG’s risk management processes.

4. In addition to engaging with key stakeholders, risk coverage is coordinated with other oversight units.

5. Risk assessment is a continuous activity. When changes occur and risks shift, IAD adjusts its Work Program to stay aligned. IAD communicates its risk assessment results to the Audit Committee, including how emerging risks have been addressed.

6. Professional judgment is an important component of the risk assessment process. The quantitative and qualitative factors used to evaluate and prioritize risks are periodically evaluated in order to ensure relevance in the risk assessment process.


Responsiveness to Institutional Changes – Risk Refresh Process

Mid-Year Risk Refresh: IAD conducts a mid-year risk refresh to ensure that its Work Program remains current. The risk refresh outputs are translated into proposed changes to the Work Program.

Work Program Modifications: In addition to the formal and comprehensive mid-year risk refresh exercise, IAD also makes modifications to its Work Program in response to ongoing organizational changes and institutional requirements.

The objective, approach and output of IAD’s risk refresh process are shown below in Figure 2.

The audit universe and related audit plan are updated to reflect changes in management direction, objectives, emphasis and focus. It is advisable to assess the audit universe on at least an annual basis to reflect the most current strategies and direction of the organization. In some situations, audit plans may need to be updated more frequently (e.g. quarterly) in response to changes in the organization’s business, operations, programs, systems, and controls.

Practice Advisory 2010-1 – Planning

The business case for the Work Program changes is deliberated by IAD’s Management Team and approved by the Vice President and Auditor General. The proposed changes are communicated to Senior Management and the Audit Committee through IAD’s Quarterly Results Report.

Objective

• Confirm that IAD's Work Program continues to be relevant taking into account changes in: (i) risk profiles including consideration of emerging risks; (ii) control environment; and, (iii) stakeholder expectations.

Approach

• High level validation based on a top-down strategic approach leveraging management’s view of risk, information from IAD reviews, board papers, emerging risk and control themes

Risk Refresh Output

• Proposed changes to the Work Program are deliberated by IAD’s Management Team

Figure 2: IAD’s Risk Refresh Process

Responsiveness to Institutional Changes – Advisory Engagements

Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility.

Definition of Advisory Reviews by IIA

IAD’s core remit is to provide assurance on control design and effectiveness. However, IAD is actively supporting Senior Management by increasing its advisory engagements to support WBG’s unprecedented Change and Reform agenda. Leading industry studies on the role of the Internal Audit Profession reveal that internal audit units are increasingly looking beyond the core assurance mandate and aiming to provide increased value as a trusted advisor to the business, thereby driving performance improvement initiatives and helping close internal control gaps.


Responsiveness to Institutional Changes – Advisory Engagements (contd.)

Consistent with the IIA Standard 2010.C1, IAD’s Work Program is designed to include a reasonable proportion of advisory reviews.

Advisory reviews provide management with guidance on risk and controls and are typically focused on new and developing units, processes and systems. Advisory engagements are designed to be “preventative” in nature and assist management in developing appropriate control frameworks.

The Chief Audit Executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan.

2010.C1 – Planning

Linkages to Assurance Work: IAD’s Advisory Reviews provide valuable knowledge, and assist in adding value and depth to its core Assurance work at a later stage. The early signals and insights on emerging issues gained feed into its Annual Risk Assessment and Annual Work Program development.

Entity wide Knowledge sharing: IAD’s Advisory Reviews enable IAD to identify and analyze issues that cut across the different Bank Group entities, and provide the Board and Senior Management thematic reviews to leverage best practices and knowledge sharing.

Improved management of risk and operations: IAD acts as an in-house confidential business consultant for Management, which enables building trust and candor in Management’s relationship with IAD, bringing issues to the surface early, and allowing for timely detection and intervention.

Figure 3 below has examples of high-impact advisories which IAD has conducted in FY14, and which have provided fact-based insights to inform Management decision making in executing institutional change initiatives.

[Figure 3. Panel title: IAD Advisory Reviews in FY14. Change Objectives labels: Help Clients Tackle the Most Important Challenges; Build Financial Strength; Deliver Transformative; IT; Work In Partnership]

IAD Advisory Reviews in FY14

• Cloud Computing
• WBG IT Integration
• Diagnostic of Jointness among WBG entities
• Disbursement Assurance Framework
• Partnership Program Management Cost
• Overview of the Bank’s Resource Allocation Process
• ORAF
• INT Independent Advisory Board
• Safeguards Risk Management
• IFC’s Management of Market Risk in Equity Portfolio


IAD participates in an ongoing dialogue with its stakeholders to understand emerging risk areas and areas of priority. IAD uses the results of the institution-wide annual risk assessment and risk scans to help inform its risk-based auditing approach. IAD also engages closely with the institutional risk and control units, oversight functions, and the External Auditors (KPMG) throughout the year, both at a strategic level, and during the course of planning and execution of its Work Program. This ongoing collaboration is a significant component of IAD’s overall risk assessment approach, and helps IAD contribute to the improvement of WBG’s risk management processes. Specific issues identified during IAD’s audits are mapped to relevant WBG risk areas and clusters, to enable aggregation and analysis of risk and control themes at the institutional level. The linkage of the audit results to the underlying risk dimensions is reflected in IAD’s Quarterly Results Reports.

Figure 4 provides a snapshot of the distribution of IAD’s audit results during the period of FY11-FY14 by the WBG risk areas and clusters.

Figure 4: Distribution of IAD’s FY12-FY14 audit results by WBG Risk Taxonomy


Institutional Risk Management Processes


Management is responsible for the development of specific and time-bound action plans to address the issues identified by IAD.

IAD works closely with management to validate the robustness of the action plans, and the reasonableness of the timeline for implementation.

Management implements the agreed actions with a view to achieving timely closure of the issues.

IAD engages closely with management to follow-up on all the issues as and when the implementation of the agreed actions falls due.

IAD validates the completed actions by reviewing the evidence provided by management and by undertaking additional testing, where necessary, to form an independent view on the effectiveness of the completed actions.

IAD regularly reports the status of all overdue actions, by WBG entity, to Management and the Audit Committee.

During FY14, IAD has continued to strengthen its follow-up process, with the support of the Audit Committee and Senior Management. Specifically, IAD has helped contribute to a culture of accountability, by:

• independently validating the robustness of the action plans formulated by management to address the issues identified in IAD’s reviews;

• vetting the reasonableness of the implementation timeline established by management for resolution of audit issues;

• providing more granular information to Management and Audit Committee on overdue issues, for example presenting information on overdue issues, broken out by WBG entity, to better reflect the responsiveness of individual WBG entities in addressing outstanding issues; and

• flagging specific issues for Senior Management and Audit Committee attention, where enough progress has not been made with respect to implementation of agreed actions.

IAD’s follow-up process is described in Figure 5 below.

IAD’s Follow-Up Process

Figure 5: IAD’s Follow-Up Process

1. Develop action plans
2. Implement action plan
3. Follow-up on action plans
4. Validate action plan completion
5. Report overdue actions


Communication with the Audit Committee and Reporting

Discussion of relevant engagement reports: The Vice President and Auditor General (AG) has meetings with the Audit Committee, as needed, to discuss all “Unsatisfactory” rated audits as well as specific “Needs Improvement” rated audits that warrant Audit Committee attention, based on the significance and potential impact of the issues. In addition, the AG also has frequent informal discussions with the AC Chair and AC members.

Discussion of significant policy changes: The Vice President and Auditor General participates in Audit Committee discussions involving policy changes implemented by management that have been informed by IAD’s work (e.g., WBG Policy and Procedures framework, and IBRD Corporate Scorecard).

IIA Insight: Delivering Value to Stakeholders: “……Insight is an end-product from internal audit’s work and involves ‘connecting the dots’…”

IAD’s Annual Report: IAD’s Annual Report summarizes audit results for the fiscal year and includes a commentary on broader themes.

IAD’s Quarterly Activity Reports: The Quarterly Activity Report provides a high level overview of IAD’s quarterly activities and engagement results.

IAD’s Annual Report, which is a publicly disclosed document, includes a qualitative commentary on broader risk management, governance and control themes, designed to provide valuable "insights" beyond individual engagement results. These candid, constructive and forward-looking perspectives draw upon the sum total of IAD’s institutional knowledge and understanding of business processes. These perspectives reflect ongoing challenges and emerging priorities that require continued management attention.

IAD has raised the level of public disclosure by publicly disclosing its Annual Report, and also publishing a quarterly summary of the results of all its engagements in its Quarterly Activities Report.

IAD’s Annual Risk Assessment and Work Program: IAD’s annual risk assessment and Work Program formulation process is designed to deliver a body of work that is relevant and well aligned with the strategic objectives of the WBG. The Work Program document describes IAD’s risk assessment principles, coverage of high risk areas, linkage with change priorities, and the consultation process, to provide a holistic view to the Audit Committee of IAD’s approach in developing the Work Program coverage.

2020 – Communication and Approval

The Chief Audit Executive must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and board for review and approval. The Chief Audit Executive must also communicate the impact of resource limitations.

Communication with the Audit Committee: IAD has several meaningful touch-points during the year with the Audit Committee. Some examples are provided below.


Coordination with WBG Oversight Units


The Chief Audit Executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

IIA Standard 2050 – Coordination

Input to Risk Assessment: Considerable progress has been made in moving away from an informal and ad-hoc collaboration to a more disciplined and systematic approach, both in terms of better coordination and exchange of relevant operational information for IAD’s annual risk assessment and Work Program formulation. In FY14, IAD built on the practice of sharing and discussing its Work Program proposals at an early stage of IAD’s Work Program formulation exercise to maximize leverage.

Improved collaboration: IAD has pro-actively engaged with IEG and INT in the course of its engagements to utilize their existing bodies of work, and/or technical expertise. In FY14 this was achieved through: Ongoing meetings and collaboration at the engagement level as required, to share information across Work Program areas.

Knowledge sharing: In FY14 this was achieved through: Quarterly meetings of the Principals of IAD, IEG and INT (and Principals of Accountability Units - IPN and CAO) to discuss common issues of strategic importance; IAD also reviews all Final Investigation Reports (FIR) from INT and analyzes control themes to inform its own continuous risk assessment.

Benchmarking and Sharing Best Practices

IAD routinely benchmarks its processes and methodologies with leading practices, and shares best practices with other MDBs and peer groups. IAD participates in a number of global internal audit best practice studies, including those conducted by the Institute of Internal Auditors (IIA) - the Chief Audit Executive (CAE) Roundtable Survey and the Global Audit Information Network (GAIN) benchmarking study. IAD also participates in peer group discussions with the Audit Director Roundtable (ADR) of the Corporate Executive Board (CEB) and the Representatives of the Internal Audit Services of the United Nations Organizations and Multilateral Financial Institutions (UN RIAS).

The mandates of the oversight functions (IAD, IEG, and INT) are both distinct and complementary to better inform and strengthen the oversight architecture of the institution. IAD’s mandate covers risk management, governance and internal controls while IEG and INT focus on evaluation of development effectiveness and integrity risks of WBG projects. Taken together, they better inform and strengthen the oversight architecture of the institution. Coordination of risk coverage with other oversight functions (INT, IEG) is a key tenet of IAD’s risk assessment and Work Program delivery process. The objective is to engage in both upstream and downstream collaboration to optimize risk coverage, reduce potential for overlap, and drive valuable insights for the organization.


Organizational Independence

The Chief Audit Executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The Chief Audit Executive must confirm to the Board, at least annually, the organizational independence of the internal audit activity.

IIA Standard 1110 – Organizational Independence

The IIA Standard on Organizational Independence (Standard 1110) requires that the Chief Audit Executive confirm to the Board, at least annually, the organizational independence of the internal audit activity.

IAD reports to the President and is under the oversight of the Audit Committee, acting on behalf of the Board. The Audit Committee is responsible for the review of IAD’s Terms of Reference, Annual Work Program and the results of IAD’s work. In addition, the Vice President and Auditor General has free and unrestricted access to the Board through the Audit Committee.

This reporting relationship has permitted appropriate organizational independence for IAD to fulfill its professional responsibilities.

Staffing and Budget

IAD continued to leverage internal efficiency gains to fully deliver its FY14 Work Program, within a flat budget envelope of $11 million. In line with the institutional ‘One World Bank Group’ theme, to achieve greater efficiency, and eliminate working in silos, during FY14, IAD strengthened its delivery model to provide for greater fungibility and internal mobility of staff across functional areas. Consistent with leading practices and the approach followed in prior years, IAD leveraged external subject matter expertise for highly technical IT and business areas.


7. Appendix A FY14 Work Program Overview


The FY14 Work Program was designed to focus on the most significant risks for the institution, consistent with the IIA’s International Standards for the Professional Practice of Internal Audit (Performance Standard 2010), which requires the Chief Audit Executive to establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals. The objective was to provide balanced coverage of core operational processes, corporate and finance areas, and information technology.

The development of IAD’s FY14 Work Program was undertaken through a comprehensive risk assessment process and extensive consultations with management. IAD’s risk assessment was driven by a number of qualitative factors such as: (i) linkage to strategic objectives and internal reforms; (ii) pace of change within the area; (iii) extent of fiduciary responsibilities; (iv) complexity of the process; (v) potential impact of external events; and, (vi) results from IAD’s prior reviews and known risk mitigation mechanisms. In determining audit priorities, IAD also took into account areas of focus for the President and the Audit Committee.

Twenty-four engagements were completed during FY14 comprising reviews of key end-to-end business processes, spanning operations, corporate and information technology areas. These included eight Group-wide process reviews, ten IBRD/IDA engagements, five IFC specific reviews, and one MIGA engagement.

Appendix B lists all IAD engagement reports issued in FY14. Figure 1 shows the Work Program break-down by World Bank Group entity for FY14, and Figure 2 shows the Work Program break-down by World Bank Group entity for the three year period FY12-FY14.

In FY14, relative to the previous years, IAD increased its proportion of Group-wide engagements, to draw broader thematic conclusions as well as compare and contrast practices across entities. Consequently there has been a reduction in specific coverage of each entity (IBRD/IDA, IFC, and MIGA), relative to FY13.

Appendix C provides a snapshot of IAD’s coverage of key risks in the three-year period FY12 to FY14, mapped to WBG risk taxonomies.

Figure 1: FY14 Work Program Breakdown by Entity (based on staff days)

WBG 37%; IBRD/IDA 43%; IFC 17%; MIGA 3%

Figure 2: FY14, FY13, and FY12 Work Program Breakdown by Entity (based on staff days)

IBRD/IDA: FY12 44%; FY13 36%; FY14 43%

IFC: FY12 27%; FY13 24%; FY14 17%

MIGA: FY12 7%; FY13 2%; FY14 3%

WBG: FY12 22%; FY13 38%; FY14 37%


The new WBG strategy is designed to reflect a more unified institution built on the common twin goals of Ending extreme poverty and Boosting shared prosperity, while respecting the distinct mandates and strengths of each WBG entity.

A major institutional change process is underway to drive internal reforms and realign and reposition the WBG to implement the new strategy. Given the significance of the ongoing change process, IAD’s FY14 risk assessment exercise was underpinned by the following additional considerations: (i) focusing our advisory work primarily on areas where IAD involvement can add value to the institution and the ongoing change initiative; (ii) providing assurance on governance and control effectiveness for key business areas that are subject to relatively less significant change; (iii) continuing to closely monitor emerging risks within dynamically evolving areas as part of IAD’s continuous risk monitoring; and (iv) providing for bandwidth within the Work Program to absorb management requests for advisory natured engagements during the course of the year.

IAD’s FY14 Work Program remained well aligned to these institutional change focus areas. Figure 3 below provides an overview of IAD’s FY14 coverage of the WBG Change Agenda components.

Figure 3: Alignment of IAD’s FY14 WBG Coverage with WBG Change Agenda

WBG goal - Deliver the best development solutions that will help end extreme poverty and boost shared prosperity

Help clients tackle the most important challenges

Become the Solutions WBG

Work in partnership

Build financial strength

Enhance KLI

Deliver transformative IT

Align leadership, culture and values

Advance talent management

IBRD/IDA: Resource Allocation Process for Project Implementation Support, Management of Legal Risks, Disbursement Assurance Framework (DAF), INT Independent Advisory Board (IAB), Retrospective Review of the Operational Risk Assessment Framework (ORAF) Implementation, Safeguard Risk Management. IFC: Environmental and Social Risk Management in Projects, IFC’s Corporate Scorecard.

WBG: Cyber Threat Management and Preparedness, UNIX Server Platform, Internal Network Security.

WBG: Open Data Initiative, Records Management

WBG: Country Office IT Operations, Data Privacy, Cloud Computing

WBG: Diagnostic review of the Jointness, IT Integration

IBRD/IDA: Review of Partnership Program Management Cost

IFC: Management of Staff Directorships

IBRD/IDA: Management of Fees for Reimbursable Advisory Services (RAS), Management of Ineligible Expenditures of Bank-Funded Projects, Process for Net Income Forecasting. IFC: Management of Funding Operations, Management of Market Risk in Equity Portfolio. MIGA: Process for Pricing Guarantees


The FY14 assurance engagements were rated in accordance with IAD’s ratings framework.

IAD actively supported Management’s Change initiatives during FY14, and consequently there was an increase in the overall proportion of advisory engagements as compared to the previous years.

The following engagement level ratings were used for FY14:

Satisfactory – Internal Audit identified no significant issues related to the design of controls or to the proper functioning of controls as designed. If issues were noted, they were considered minor in nature.

Needs improvement – Internal Audit identified issues related to the design of the controls and/or in the functioning of the controls. Although none of these issues, either individually or in the aggregate, indicate significant weaknesses, management should address these issues in a timely manner to further strengthen the system of controls.

Unsatisfactory – Internal Audit identified issues that indicate significant weaknesses in the design and/or operating effectiveness of controls. Management should take immediate action to establish a satisfactory system of controls.

Summaries of engagement outcomes were included in the quarterly reports provided to the President and to the Audit Committee. Full audit reports for assurance engagements rated “Unsatisfactory” were systematically circulated to the President and to the Audit Committee for discussion.

Figure 4: FY14 Engagement Ratings by Entity

WBG 8: Satisfactory 3; Needs Improvement 3; Unsatisfactory 0; Unrated (Advisory) 2

IBRD/IDA 10: Satisfactory 2; Needs Improvement 2; Unsatisfactory 0; Unrated (Advisory) 6

IFC 5: Satisfactory 2; Needs Improvement 2; Unsatisfactory 0; Unrated (Advisory/Memo) 1

MIGA and ICSID 1: Satisfactory 1; Needs Improvement 0; Unsatisfactory 0; Unrated (Advisory) 0

Total 24


8. Appendix B IAD Reports Issued in FY14


-------------------------------------

*As per paragraph 16 (d) of the Bank’s Access to Information Policy, July 1, 2010, audit reports prepared by IAD shall not be publicly disclosed, except its finalized Annual and Quarterly Activity Reports.

WBG Engagements

No. Entity Engagement Title Report No. Date Issued

1 WBG Audit of the WBG Records Management WBG FY13-07 Aug 15, 2013

2 WBG Audit of the WBG Open Data Initiative WBG FY14-01 Oct 10, 2013

3 WBG Review of WBG Information and Technology Solutions Integration – Risk Management WBG FY14-02 Dec 4, 2013

4 WBG Audit of WBG Internal Network Security WBG FY14-03 Feb 25, 2014

5 WBG Audit of WBG UNIX Server Platform WBG FY14-04 April 4, 2014

6 WBG Audit of Cyber Threat Management and Preparedness WBG FY14-05 Jun 27, 2014

7 WBG Audit of WBG Country Office IT Operations WBG FY14-06 Jun 30, 2014

8 WBG Review of WBG Cloud Computing WBG FY14-07 Jun 30, 2014


IBRD/IDA Engagements

No. Entity Engagement Title Report No. Date Issued

9 IBRD/IDA Overview of the Bank's Resource Allocation Process for Project Implementation Support Internal Audit Memo Aug 15, 2013

10 IBRD/IDA Audit of the Bank’s Management of Legal Risks IBRD FY14-01 Dec 16, 2013

11 IBRD/IDA Review of the Disbursement Assurance Framework (DAF) IBRD FY14-02 Feb 3, 2014

12 IBRD/IDA Audit of the Bank’s Management of Fees for Reimbursable Advisory Services (RAS) IBRD FY14-03 Feb 5, 2014

13 IBRD/IDA Review of the Bank’s Oversight of the Costs and Expenditures of Partnership Program Management and Administration IBRD FY14-04 Apr 10, 2014

14 IBRD/IDA Review of Operational Risk Assessment Framework (ORAF) IBRD FY14-05 May 28, 2014

15 IBRD/IDA Review of the Integrity Vice Presidency INT Independent Advisory Board (IAB) IBRD FY14-06 May 30, 2014

16 IBRD/IDA Audit of Management of Ineligible Expenditures of Investment Project Financing IBRD FY14-07 Jun 28, 2014

17 IBRD/IDA Audit of IBRD’s Net Income Projection Process IBRD FY14-08 July 10, 2014

18 IBRD/IDA Review of the Bank’s Environment and Social Risk Management IBRD FY14-09 July 15, 2014


IFC Engagements

No. Entity Engagement Title Report No. Date Issued

19 IFC Audit of IFC's Management of Funding Operations IFC FY14-01 Oct 16, 2013

20 IFC Audit of Environmental and Social Risk Management in IFC Projects IFC FY13-09 Oct 21, 2013

21 IFC Audit of IFC's Corporate Scorecard IFC FY14-02 Jan 14, 2013

22 IFC Audit of IFC’s Nominee Directorship and Fund Committee Membership IFC FY14-03 Jun 3, 2014

23 IFC Memo on IFC’s Management of Market Risks in Equity Portfolio Internal Audit Memo Jun 5, 2014

MIGA Engagements

No. Entity Engagement Title Report No. Date Issued

24 MIGA Audit of MIGA Process for Pricing Guarantees MIGA FY14-01 Jan 6, 2014


9. Appendix C IAD’s Coverage in FY12-14


IAD’s Coverage in FY12-14

# WBG Risk Taxonomy FY14 Engagements FY13 Engagements FY12 Engagements

STRATEGIC EFFECTIVENESS

1 Strategy and Planning

• IT Integration

• Bank and IFC Corporate Budget Processes

• Bank Corporate Scorecard

• Information Management and Technology (IMT) Strategy Implementation

• Bank Knowledge Portfolio Management

2 Corporate Governance, Accountability, and Organizational Structure

• IFC Development Indicators and Corporate Scorecard

• Management of Integrity Due Diligence in IFC's Projects

• Management of World Bank Group (WBG) Offshored Corporate and Back Office Functions

• Quality Assurance Process for Investment Lending Operations in IBRD/IDA

• IFC’s Risk Management Process for Decentralized Investment Operations

• Fund Management Operations of IFC Asset Management Company (AMC), LLC

OPERATIONAL EFFICIENCY

3 Operational Areas and Policy Framework

• Retrospective Review of ORAF Implementation

• Fee Management of Reimbursable Advisory Services (RAS)

• Management of Operational Waivers in Bank Projects

• WBG Management of its Climate Investment Funds (CIF) Activities

• Management of IFC’s Performance Based Grant Initiative

• Management of Climate Change Operations

• Institutional Framework for Managing Financial Activities in Country Offices (IFC)

• Bank’s Management of Rapid Response Operations

• World Bank Group (WBG) Framework for Policies and Procedures

• Institutional Control Framework for Financial Activities of Country Offices (Bank)


4 Implementation/Supervision

• Management of Ineligible Expenditures of Bank-Funded Projects

• Resource Allocation Process for Projects’ Implementation Support

• Regional Integration Projects in the Africa Region

• ICSID's Case Management Process

5 Environment and Social Safeguards

• Safeguards Risk Management

• Environmental and Social Safeguard Risk Management in IFC and MIGA projects

6 Fraud and Corruption Risks

• Review of INT Independent Advisory Board (IAB)

• Bank's Operational Framework for using Investigation Results in Bank Funded projects

7 FM, Procurement, and Disbursement

• Disbursement Assurance Framework

• Bank’s Fiduciary Monitoring of Bank-Funded Projects Through External Financial Audits

• Management of Procurement Risk for Bank-Funded Projects

8 Management of External Funds

• Partnership Program management Costs

• Commitments and Disbursements of Below-the-Line Grant Making Facilities

• Bank Financial Intermediary Funds (FIFs) Disbursements

9 Human Resources

• WBG Staff Financial Assistance Programs

• Bank HR Systems Renewal Program

• HRS Global Staff Mobility Processes and Infrastructure

• HR Integration


10 Information Technology

• Unix Operating System

• World Bank Open Data Initiative

• Country Office IT Operations

• Cloud Computing

• Cyber Threat Management and Preparedness

• Data Privacy

• Management of Global IT Communications

• WBG IT Integration

• Bank and IFC Bank Windows Server Platform

• World Bank Data Management

• Bank's Server Virtualization

• SAP Upgrade Project

• IFC Data Management

• IFC's Server Virtualization

• Post-Implementation Review of the MIGA Guarantee System

11 Corporate Areas: (i) Financial Reporting

• Bank’s Internal Controls over External Financial Reporting

• Bank's Disclosure Controls and Procedures over External Financial Reporting

• Bank's Internal Controls over External Financial Reporting

• Bank's Disclosure Controls and Procedures over External Financial Reporting

• IFC's Internal Controls over External Financial Reporting

• MIGA's Internal Controls over External Financial Reporting

Corporate Areas: (ii) Other Corporate Areas

• Bank’s Management of Legal Risks

• WBG Records Management

• Selection and Use of Consultants for Operational Purposes by WBG Entities

• Loan Accounting Operations

• Management of World Bank Group (WBG) Vendors

• World Bank Group (WBG) Pension Plan Administration

• World Bank Group (WBG) Pension Plan Investments


12 Security and Business Disruption

• WBG Internal Network Security

• Emergency Relocation/ Evacuation Process in WBG Country Offices

• Bank Mobile and IFC Computing

• World Bank Group (WBG) Business Continuity Management

• World Bank Group (WBG) Management of Two-Factor Authentication

• World Bank Group (WBG) Network Perimeter Security

STAKEHOLDER SUPPORT

13 Stakeholder Support

• Management of IFC Staff Directorships

• World Bank Group (WBG) External Web and Social Media

• Reserves Advisory and Management Program (RAMP)

• Portfolio Analytics Tool: Version 2 (PAT II)

FINANCIAL SOUNDNESS

14 Financial Risks

• Process for Pricing MIGA Guarantees

• Bank Process for Net Income Forecasting

• IFC – Management of Market Risks in Equity Portfolio

• IFC – Management of Funding Operations

• Bank Capital Markets

• Management of Finance Systems Renewal

• IFC Liquid Assets and Cash Management

• IFC's Loan Collateral Management Processes

• Counterparty Credit Risk Management

• Audit of MIGA’s Portfolio Risk Monitoring and Reinsurance Processes

• IBRD’s Market Risk Management Process

• IFC’s Process for Credit Risk Management

• IFC’s Asset and Liability Management Framework

• IFC’s Treasury Valuation Process

• IFC's Investments in Private Equity Funds

• IFC's Structured Finance Operation

• IFC's Profitability Measurement

10. Appendix D: Alignment of IAD’s FY15 WBG Coverage with WBG Change Agenda

WBG Change Agenda Item

IAD’s WBG Coverage

Help clients tackle the most important challenges

• Processes for collection of country level poverty data.

• Identification and monitoring of problem projects in the Bank.

• Bank’s management of financial intermediary lending.

• IFC’s framework for gathering, analyzing and utilizing client information.

Become the Solutions WBG

• Processes for delivering Bank knowledge products.

• Management of IFC’s PPP advisory services projects.

Work in partnership

• WBG processes for donor reporting on operations.

• Risk and controls mapping within the trust fund lifecycle.

Build financial strength

• Capturing, recording and monitoring of costs in Bank systems.

• Expenditure review (ER) work on norming in Bank’s country office operations.

• Use of externally financed outputs in IBRD operations.

Enhance KLI

• Processes for delivering Bank knowledge products.

• Management of PPP advisory services projects.

Deliver transformative IT

• PeopleSoft post-implementation business processes review.

• Cloud computing infrastructure and integration.

• Pre-implementation review of IBRD/IFC Joint Cash Management system.

Align leadership, culture and values

• WBG processes for managing operational risks (risks relating to people, processes and systems – distinct from risk within WBG operations).

• WBG processes for conflict of interest management.

• MIGA integrity due diligence.

Advance talent management

• Specific assurance work in this area has not yet been built into the Work Program, recognizing that the related HR strategic initiatives are underway. IAD will reassess this as part of its continuous risk monitoring.
